#Splunk search for sudo or rm invocations across collected shell and PowerShell command history:

(index=main sourcetype="bash_history" OR sourcetype="cmdhistory" OR sourcetype="powershell_history") (command="*sudo*" OR command="*rm*")

#Here is a list of all the privilege escalation tools that were mentioned:

Mimikatz
PowerSploit
Metasploit
BeRoot
Sudo
SUID3NUM
Kernel Exploits
Bloodhound
CrackMapExec
WinPEAS
LinEnum
PowerUpSQL
PsExec
RottenPotatoNG
JuicyPotato
GetSystem
EscalatePL
DBeaver
Empire
Pupy
PrivescCheck
Linux Exploit Suggester
DirtyCOW
CVE-2021-1675 PrintNightmare
Watson
Seatbelt
Sherlock
SharpHound

#CrowdStrike command that can be used to detect potential privilege escalation activities across multiple operating systems:

csquery process
  | where process_name in ("powershell.exe", "cmd.exe", "sh", "bash")
  | where process_integrity_level >= 3 or process_token_elevation_type == "Full"
  | where timestamp > (now() - 1h)
  | project timestamp, computer_name, user_name, process_id, process_name, process_command_line, process_parent_id, process_integrity_level, process_token_elevation_type


#process_create: This command can be used to monitor new process creations on your endpoints, and can help identify processes that are created with elevated privileges. For example:

csquery process_create
  | where timestamp > (now() - 1h)
  | where process_integrity_level >= 3 or process_token_elevation_type == "Full"
  | project timestamp, computer_name, user_name, process_id, process_name, process_command_line, process_parent_id, process_integrity_level, process_token_elevation_type


#filemod: This command can be used to monitor file modifications on your endpoints, and can help identify unauthorized modifications to critical system files. For example:

csquery filemod
  | where timestamp > (now() - 1h)
  | where file_path in ("/etc/passwd", "/etc/sudoers", "C:\\Windows\\System32\\config\\SAM", "C:\\Windows\\System32\\config\\SYSTEM")
  | where event_type == "MODIFY"
  | project timestamp, computer_name, user_name, file_path, process_name, process_command_line

#The above command searches for modifications to critical system files such as /etc/passwd, /etc/sudoers, C:\Windows\System32\config\SAM, and C:\Windows\System32\config\SYSTEM, which could indicate potential privilege escalation activity.


#netconn: This command can be used to monitor network connections on your endpoints, and can help identify suspicious network activity that could indicate privilege escalation attempts. For example:

csquery netconn
  | where timestamp > (now() - 1h)
  | where process_name in ("powershell.exe", "cmd.exe", "sh", "bash")
  | where remote_address not in ("127.0.0.1", "::1")
  | project timestamp, computer_name, user_name, process_name, process_command_line, remote_address, remote_port, protocol


Commandhistoryv2 *requireAdministrator* OR *autoElevate* OR *requestedPrivileges* OR *fodhelper.exe* OR *HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute* OR *DelegateExecute* OR *seamlessly/hidden* OR *SilentCleanup* OR *add hkcu\Environment* OR *Import-Module NtObjectManager* OR *mmc.exe* OR *GetExitCodeProcess* OR *GetPriorityClass* OR *GrantedAccess* OR *IntegrityLevel* OR *Impersonate* OR *TokenType Impersonation* OR *GetPrivilege* OR *Bypass.ps1* OR *enum* OR *beacon* OR *mimikatz* OR *PowerSploit* OR *Metasploit* OR *Bloodhound* OR *CrackMapExec* OR *WinPEAS* OR *LinEnum* OR *PrivescCheck* OR *Sherlock* OR *PsExec* OR *JuicyPotato*
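The wildcard searches above (the sudo/rm bash_history search and the CommandHistory indicator search) can be tested offline before they go into a SIEM. The following is an added example, not code from the original page: it compiles a subset of those Splunk-style terms into case-insensitive regexes, runs them over constructed command-history records, and reports which term fired, which makes the noise from short terms such as *rm* and *enum* visible. The record fields (host, user, command) and all sample lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Splunk-style wildcard terms: a subset of the CommandHistory search above plus
# the sudo/rm terms from the bash_history search. Backslashes are literal.
INDICATOR_TERMS = [
    "*requireAdministrator*", "*autoElevate*", "*requestedPrivileges*",
    "*fodhelper.exe*",
    r"*HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute*",
    "*DelegateExecute*", "*SilentCleanup*", r"*add hkcu\Environment*",
    "*Import-Module NtObjectManager*", "*mmc.exe*", "*IntegrityLevel*",
    "*Impersonate*", "*Bypass.ps1*", "*enum*", "*mimikatz*", "*PowerSploit*",
    "*WinPEAS*", "*LinEnum*", "*PrivescCheck*", "*PsExec*", "*JuicyPotato*",
    "*sudo*", "*rm*",
]

def wildcard_to_regex(term: str) -> "re.Pattern[str]":
    """Compile a '*foo*' term to a case-insensitive regex. Only '*' is a
    wildcard; everything else is escaped, so registry paths match literally."""
    return re.compile(".*".join(re.escape(p) for p in term.split("*")),
                      re.IGNORECASE | re.DOTALL)

COMPILED = [(term, wildcard_to_regex(term)) for term in INDICATOR_TERMS]

def match_command(command: str) -> List[str]:
    """Return every indicator term that hits this command line, in list order."""
    return [term for term, rx in COMPILED if rx.search(command)]

def scan_history(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only the command-history records that hit at least one term."""
    hits = []
    for rec in records:
        matched = match_command(rec["command"])
        if matched:
            hits.append({**rec, "matched": matched})
    return hits

# Constructed sample records, not real telemetry. The firmware and
# enumeration-notes lines are benign but hit '*rm*' and '*enum*': those short
# terms need tighter patterns or an allow-list before the search is useful.
SAMPLE_HISTORY = [
    {"host": "ws01", "user": "alice", "command": "ls -la /var/log"},
    {"host": "ws01", "user": "alice", "command": "sudo vi /etc/sudoers"},
    {"host": "ws02", "user": "bob", "command": "grep -i firmware /var/log/dmesg"},
    {"host": "ws03", "user": "carol", "command": r"Get-Content .\enumeration-notes.txt"},
    {"host": "ws03", "user": "carol", "command":
     r"reg query HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute"},
]
```

Running `scan_history(SAMPLE_HISTORY)` returns four of the five records; two of them are the benign false positives, which is the tuning feedback you want before shipping the search.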

